Agent Integration Patterns
TameFlare is a transparent HTTP proxy. It governs agent traffic at the network level, not the application level. This means compatibility depends on how the agent makes HTTP requests, not which framework it uses.
This page lists every known integration pattern, whether TameFlare supports it, and what you get.
Compatibility matrix
| # | Pattern | How the agent calls APIs | TameFlare support | Policy enforcement | Credential isolation | Audit trail | Notes |
|---|---|---|---|---|---|---|---|
| 1 | Agent with env var credentials | Agent reads STRIPE_SECRET_KEY from env, attaches to HTTP request | Full | Yes | Yes - agent gets dummy key, vault injects real key | Yes | Most common pattern. LangChain, CrewAI, n8n, custom agents. |
| 2 | Agent with extension/plugin credentials | Extension (e.g., OpenClaw skill, n8n node) has its own credential store and attaches real key to HTTP request | Full (policy + audit) | Yes | No - extension already has real key. TameFlare passes it through. | Yes | You still get action-level allow/deny/approval and full audit trail. Credential isolation requires migrating keys to TameFlare vault. |
| 3 | MCP server (Streamable HTTP transport) | Agent calls MCP server via POST /mcp over HTTP. MCP server calls upstream APIs over HTTP. | Full (both hops) | Yes - both the agent→MCP and MCP→upstream hops are HTTP | Yes - if MCP server process runs through tf run | Yes | Wrap the MCP server process with tf run to intercept its outbound traffic. The agent→MCP hop is also intercepted if the agent runs through tf run. |
| 4 | MCP server (stdio transport) | Agent launches MCP server as local subprocess, communicates via stdin/stdout. MCP server calls upstream APIs over HTTP. | Partial | Only the MCP server's outbound HTTP calls (if the MCP server process inherits proxy env vars) | Only for outbound HTTP | Only for outbound HTTP | The agent↔MCP communication is local IPC (stdin/stdout), not HTTP - TameFlare cannot intercept it. But the MCP server's outbound API calls are HTTP and can be proxied if env vars are inherited. |
| 5 | Agent using HTTP library that respects proxy env vars | Python requests, httpx, urllib3; Node http/https, axios, node-fetch; Go net/http; Java HttpClient; Rust reqwest | Full | Yes | Yes | Yes | This covers the vast majority of HTTP libraries. The OS-level HTTP_PROXY/HTTPS_PROXY convention is widely supported. |
| 6 | Agent using HTTP library that ignores proxy env vars | Some low-level or custom HTTP clients (raw sockets, custom TLS, curl without --proxy) | None | No | No | No | Rare. Most production HTTP libraries respect proxy env vars. If you encounter this, configure the library to use a proxy explicitly. |
| 7 | Agent making local function calls | Agent calls a Python/JS function that internally calls an API (e.g., Stripe SDK stripe.charges.create()) | Full (if SDK uses HTTP internally) | Yes - the Stripe SDK makes HTTP requests under the hood, which go through the proxy | Yes | Yes | SDKs like stripe-python, openai-python, slack-sdk all use requests or httpx internally, which respect proxy env vars. |
| 8 | Agent calling local services (localhost) | Agent calls http://localhost:8080/api/... or similar local endpoints | Full | Yes - local HTTP traffic goes through the proxy | Depends on connector config | Yes | Matched by the generic HTTP connector. Useful for governing internal service calls. |
| 9 | Agent using WebSocket connections | Agent opens a persistent WebSocket to an API (e.g., real-time streaming) | None | No | No | No | TameFlare's proxy handles HTTP/HTTPS request-response cycles. WebSocket upgrade requests are not currently intercepted. Future consideration. |
| 10 | Agent using gRPC | Agent calls APIs via gRPC (HTTP/2 + protobuf) | None | No | No | No | gRPC uses HTTP/2 but with binary framing that TameFlare's connectors cannot parse into structured action types. Future consideration. |
| 11 | Agent using GraphQL | Agent sends GraphQL queries/mutations over HTTP POST | Partial | Yes - HTTP request is intercepted. Action type is generic (generic.post) unless a custom connector parses the GraphQL body. | Yes | Yes | The generic HTTP connector matches by domain + HTTP method. A custom connector could parse the GraphQL operation name for richer action types (e.g., github.graphql.mutation.mergePullRequest). |
| 12 | Agent running in a container (Docker) | Agent process runs inside a Docker container | Full | Yes | Yes | Yes | Set HTTP_PROXY and HTTPS_PROXY env vars in the container, pointing to the gateway running on the host (or as a sidecar). Use tf run inside the container or configure proxy env vars in docker-compose.yml. |
| 13 | Agent running in CI/CD (GitHub Actions, etc.) | Agent runs as part of a CI pipeline | Full | Yes | Yes | Yes | Install CLI, run tf init --gateway-id gw_xxx --gateway-token gwtk_xxx, then tf run -- your-agent-command. See CI/CD Integration. |
| 14 | Multi-agent orchestration (CrewAI, AutoGen) | Multiple agents share one process, each making HTTP calls | Full (shared gateway) | Yes - all agents in the process share the same proxy | Yes - all agents share the same credential vault | Yes - audit trail shows gateway name, not individual agent | For per-agent isolation, run each agent as a separate process with its own gateway. |
| 15 | Agent-to-agent HTTP calls | Agent A calls Agent B via HTTP (e.g., A2A protocol) | Full | Yes - the HTTP call goes through the proxy | Depends on config | Yes | Both the inter-agent call and Agent B's outbound calls are governed if both run through tf run. |
| 16 | Browser-based agent (client-side JS) | Agent runs in a web browser and makes fetch() calls | None | No | No | No | Browsers do not respect HTTP_PROXY env vars. Browser-based agents would need a server-side proxy relay. Not a current use case for TameFlare. |
| 17 | Serverless function (AWS Lambda, Cloudflare Workers) | Agent runs as a serverless function | Partial | Yes - if HTTP_PROXY env vars are set in the function config | Yes | Yes | The gateway must be network-reachable from the serverless environment. Latency may increase due to proxy hop. |
| 18 | SSH / non-HTTP protocols | Agent executes commands via SSH, FTP, SMTP, or other non-HTTP protocols | None | No | No | No | TameFlare is an HTTP/HTTPS proxy. Non-HTTP protocols are not intercepted. |
Decision flowchart
Use this to determine if TameFlare can govern a specific agent action:
1. Does the action result in an outbound HTTP/HTTPS request?
├─ NO → TameFlare cannot intercept it (WebSocket, gRPC, SSH, stdio, etc.)
└─ YES ↓
2. Does the HTTP library respect HTTP_PROXY / HTTPS_PROXY env vars?
├─ NO → Configure the library to use a proxy explicitly, or switch libraries
└─ YES ↓
3. Is the agent process started with `tf run` (or proxy env vars set manually)?
├─ NO → Traffic bypasses TameFlare entirely
└─ YES ↓
4. Does a connector match the target domain?
├─ NO → Generic HTTP connector handles it (domain + HTTP method only)
└─ YES → Full structured action types, rich parameters, risk classification
Result: TameFlare enforces policies, logs audit trail, and optionally isolates credentials.
Credential isolation: when it works and when it doesn't
| Scenario | Credential isolation? | How |
|---|---|---|
| Agent reads API key from env var | Yes | Give agent a dummy key. TameFlare strips it and injects the real key from the vault. |
| Agent uses SDK that reads env var internally | Yes | Same as above - the SDK's HTTP requests go through the proxy. |
| Extension/plugin has its own credential store | No (by default) | The extension attaches the real key before the request reaches TameFlare. Migrate keys to TameFlare vault for full isolation. |
| MCP server holds its own credentials | No (by default) | Same as extensions. The MCP server attaches credentials to its outbound requests. |
| Agent hardcodes credentials in source code | No | The agent attaches the key directly. TameFlare can still enforce policies and audit, but cannot strip/replace the key. |
Future considerations
These patterns are not currently supported but could be engineered:
| Pattern | Challenge | Potential approach |
|---|---|---|
| WebSocket interception | Persistent bidirectional connection, not request-response | Intercept the HTTP upgrade request, then proxy the WebSocket frames. Would require frame-level parsing for action types. |
| gRPC interception | Binary protobuf encoding, HTTP/2 multiplexing | Decode protobuf messages using service descriptors. Requires the .proto file or reflection API. |
| GraphQL-aware connector | Single endpoint, action type embedded in query body | Parse GraphQL operation name and type (query/mutation/subscription) from the POST body. Map to structured action types. |
| Browser agent support | No HTTP_PROXY in browsers | Provide a JavaScript SDK or service worker that routes fetch() through a TameFlare relay endpoint. |
| stdio MCP interception | Local IPC, not network traffic | Wrap the stdin/stdout pipe with a TameFlare shim that parses JSON-RPC messages and applies policies before forwarding. |
| Outbound DNS filtering | Agent resolves domains before connecting | Integrate with DNS to block resolution of unauthorized domains, complementing HTTP-level enforcement. |
Quick reference by framework
| Framework | Typical pattern | TameFlare support | Setup |
|---|---|---|---|
| LangChain | Env var credentials + requests library | Full | tf run -- python agent.py |
| CrewAI | Env var credentials + requests library | Full | tf run -- python crew.py |
| n8n | Built-in credential store + axios | Full (policy + audit) | tf run -- n8n start |
| OpenClaw | Skills with own credentials + requests | Full (policy + audit) | tf run -- openclaw start |
| Claude Code | Anthropic API key from env + fetch | Full | tf run -- claude |
| Cursor / Windsurf | IDE extension, own credential management | Partial - only if IDE's HTTP calls respect proxy env vars | Set HTTP_PROXY in IDE config or terminal env |
| AutoGen | Env var credentials + httpx | Full | tf run -- python autogen_script.py |
| MCP servers (HTTP) | Server holds credentials, Streamable HTTP transport | Full | tf run -- node mcp-server.js |
| MCP servers (stdio) | Server holds credentials, stdin/stdout transport | Partial - outbound HTTP only | Ensure MCP server process inherits proxy env vars from parent |
| Custom agents | Varies | Full if HTTP + proxy-aware library | tf run -- your-command |
Next steps
- Integration Guide - step-by-step setup for your first agent
- Connectors - all 8 built-in connectors and how they parse requests
- Proxy Behavior - technical reference for how the proxy handles requests
- Building a Custom Connector - extend TameFlare for APIs we don't cover yet